We have recently started getting a 401 response with "Requested API is not supported in Admin On-Behalf-Of mode" when calling certain Microsoft endpoints. Specifically,
GET https://graph.microsoft.com/beta/chats/{channelId}/messages/{messageId}
GET https://graph.microsoft.com/v1.0/users/{userId}/joinedTeams
GET https://graph.microsoft.com/v1.0/me/joinedTeams
However this one works
GET https://graph.microsoft.com/v1.0/me
Some information about the setup:
We are using a token with delegated scopes
The token has the required permissions:
AppCatalog.ReadWrite.All
ChannelMessage.Send Chat.Create Chat.Read Chat.ReadWrite
ChatMember.ReadWrite Files.Read.All Files.ReadWrite Sites.Read.All
Sites.ReadWrite.All Team.ReadBasic.All User.Read User.Read.All
User.ReadBasic.All User.ReadWrite.All profile openid email
This has previously worked with the same token
This is happening on the v1.0 and beta endpoints
We tried removing admin consent from each scopes but still faced the
same issue
I cannot find any information in the MS documentation regarding Admin On-Behalf-Of mode and wondered if anyone could shed any light on what we could be doing wrong?
Further Update.
We have now been able to reproduce this on a tenant and has to do with external guest users. These users are able to authenticate into the tenant but you cannot use the token obtained to call some of the Graph API endpoints - Anyone know why this is?
We have tried changing all the settings in External Identities in AAD but still getting the same response on the Graph API endpoints
Related
I'm trying to figure out how to use Microsoft Graph API in order to get information on an Azure AD B2C tenant's Policy Keys. It seems like it should be possible given the following documentation, but I keep getting an InvalidAuthenticationToken error.
Documentation link: https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
What exactly do I need to do to call the endpoint shown in here (the /trustFramework/keySets endpoint)? https://learn.microsoft.com/en-us/graph/api/trustframework-list-keysets?view=graph-rest-beta&tabs=http
In postman, I'm simply firing off the get request with Basic auth using my Portal credentials. Am I going about this the right way?
I tried to reproduce the same in my environment. and received similar error *InvalidAuthenticationToken*
Then , I checked that I missed to give authorization header with bearer token ,
Which Is required parameter to query that as per : List keySets - Microsoft Graph beta | Microsoft Learn
Below are the scopes , I have given admin consent to. delegated and application permissions like openid offline_access profile User.ReadWrite.All TrustFrameworkKeySet.Read.All Policy.ReadWrite.TrustFramework AuditLog.Read.All
Do a get request at https://login.microsoftonline.com/xxxxxx063/oauth2/v2.0/token to receive a token for the application endpoint in postman with the scope for graph i.e; https://graph.microsoft.com/.default , for that particular tenant (here used tenantId of azure ad b2c).
Give required values like client_id, client_secret for client_credential flow
Then try to query graph using that token :
GET https://graph.microsoft.com/beta/trustFramework/keySets ,
Following above steps with correct values and granting admin consent , I could successfully query the keySets
My question is, does Microsoft Graph work without User.Read scope ? I am not able to request the email profile openid permissions directly.
It throws AccessDenied error. So is User.Read pre requisite for email profile or openid ?
User.Read is just the delegated permission for getting the user profile using MS Graph Get User. If your app does not need to read the user profile you don't need this permission but in most cases you do because you app is acting on behalf of the user.
Does Microsoft Graph work without User.Read scope ?
No, but in most cases, you need the scope to read user profile and call /me endpoints.
You should check the api document to see if calling that api required User.Read permission.
For instance: I wanna call this api to list emails, and we can see that this api provides 2 kinds of permissions, one is for delegate, another is for application(this means client credential flow is supported). All the api permissions are listed here and we need to go to azure ad portal to add the api permission to your azure ad application which used to generate access token.
After generating the access token, you can user jwt decode tool to check if your access token contains correct scopes(for delegate permission) or roles(for application permission). Using a correct token to call the api will not lead to AccessDenied error. By the way, newly added permission may be deferrable to take effect.
I am making an application for Microsoft Teams.
Must get the teams in Microsoft Teams that the user is a direct member of.
If I use the same email under which I registered the application in Active Directory, then getting the list on request to /me/joinedTeams is not difficult.
However, if I am using someone else's Teams account, I get an UnknownError when requesting /me/joinedTeams.
I noticed that after consent and authorization in the Microsoft Graph, the user has a token shorter than mine.
However, it works with other endpoints (/me and /drive/root).
Permissions are exposed in accordance with the documentation.
Permissions:
Directory.Read.All
Directory.ReadWrite.All
email
Files.Read
Files.Read.All
Files.Read.Selected
Group.Read.All
Group.ReadWrite.All
offline_access
openid
profile
Team.ReadBasic.All
TeamsAppInstallation.ReadWriteSelfForChat.All
TeamsAppInstallation.ReadWriteSelfForTeam.All
TeamsAppInstallation.ReadWriteSelfForUser.All
TeamSettings.Read.All
TeamSettings.ReadWrite.All
User.Read
User.Read.All
User.ReadWrite.All
enter image description here
Here you are getting the error because the /me/joinedTeams doesn't support personal accounts. See this document.
It works for /me and /drive/root because it supports personal accounts. See this document and this document.
We have to generate an online meeting request from our Dynamics CRM System. We tried using the Microsoft graphs API, and were able to generate the token. However while submitting the request, we get a 403 Forbidden Error. We have registered our application in Azure and also given the required API permissions.
I have attached the screenshots of our testing. I am testing this on my personal Azure test account.
Screenshots
The user has to consent the permission:
Consent experience
Azure AD will sign the user in and ensure their consent for the permissions your app requests.
At this point, the user will be asked to enter their credentials to authenticate with Microsoft. The Microsoft identity platform v2.0 endpoint will also ensure that the user has consented to the permissions indicated in the scope query parameter. If the user has not consented to any of those permissions and if an administrator has not previously consented on behalf of all users in the organization, they will be asked to consent to the required permissions.
I'm trying to hit https://graph.microsoft.com/v1.0/users/{userId}/mailboxSettings endpoint with an auth token and in return receiving a 403 Error Access Denied response.
I have granted both application level and delegated permissions for MailboxSettings.Read, MailboxSettings.ReadWrite. I can verify that these permissions are enabled on the installed application via examination of my decoded auth token with the jwt.ms. Here is the exert from the decoded token:
"scp": "Directory.AccessAsUser.All Files.ReadWrite.All Group.ReadWrite.All Mail.Read Mail.ReadWrite Mail.Send MailboxSettings.Read MailboxSettings.ReadWrite Sites.ReadWrite.All"
I have also verified that the user I am requesting mailboxSettings for has been granted access via Admin Consent.
I am able to return mailboxSettings if I hit the endpoint for either the admin userId or the https://graph.microsoft.com/v1.0/users/me/mailboxSettings endpoint. Any help would be much appreciated.
Quickly I tested with Microsoft Graph Explorer and it works for me. So i would request you to test the above API call with Graph Explorer and see if you can repro the issue or not.
I believe the problem is that your token was generated using Delegated scopes. The Delegated flavor of MailboxSettings.Read and MailboxSettings.ReadWrite may only access the currently authenticated user’s mailbox.
In order to access other users, you need to use Application scopes. You can read more about how these scopes work (and how to select them) in this blog post: Application vs Delegated Scopes.
As others have stated, delegated token only works for reading the mailboxSettings of the currently authenticated user. I had enabled mailboxSettings as an Application scope, yet I was getting the same error. The culprit of the issue was that I was using the Auth code grant for the token.
After switching to Client Credentials grant, I am successfully retrieving an Auth token that contains the mailboxSettings Application level scope, and am able to get 200 responses on endpoints for all users.